Security researchers have discovered seven vulnerabilities in nearly 400 models of IP camera from a well-known manufacturer, some of which could be exploited to remotely control the devices.
The team at security vendor VDOO made the discovery as part of wider research into a range of leading IoT products from a broad sweep of manufacturers.
It claimed to have responsibly disclosed the flaws to Axis Communications, which has since released new firmware to address the bugs in 390 models of its internet-connected surveillance cameras.
The vulnerabilities in question are: CVE-2018-10658, CVE-2018-10659, CVE-2018-10660, CVE-2018-10661, CVE-2018-10662, CVE-2018-10663 and CVE-2018-10664.
VDOO claimed that by chaining three of these together, attackers could access the camera login page remotely via the network without needing to authenticate.
With full control over the devices, they could access or freeze the video stream, move the lens or turn motion detection off, conscript the device into a botnet for DDoS, Bitcoin mining and other ends, and even use it as a beachhead into the main network.
“To the best of our knowledge, these vulnerabilities were not exploited in the field, and therefore, did not lead to any concrete privacy violation or security threat to Axis’s customers,” the firm concluded.
“We strongly recommend Axis customers who did not update their camera’s firmware to do so immediately or mitigate the risks in alternative ways.”
VDOO also released some guidance for IP camera device manufacturers, claiming to have uncovered plenty of “bad architectural practice.” The guidance covers privilege separation for processes, input sanitization, minimal use of shell scripts and binary firmware encryption.
This isn’t the first time Axis Communications has been singled out for attention by security researchers.
In July last year, IT security firm Senrio revealed Devil’s Ivy, a major flaw in the widely used gSOAP web services toolkit which made its way into potentially tens of millions of devices, including those produced by Axis.